Open source software security

Drupal Organic Groups Menu Module 6.x-2.0 XSS Vulnerability

Description of Vulnerability:

CVE-2010-1747

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal OG Menu module (http://drupal.org/project/og_menu) "allows users to manage menus by Organic Groups." The Drupal OG Menu module contains a cross site scripting (XSS) vulnerability due to the fact that it fails to sanitize menu descriptions before display.

Systems affected:

Drupal 6.16 with OG Menu 6.x-2.0 was tested and shown to be vulnerable

Impact

User could inject arbitrary scripts into pages affecting site users. This could result in administrative account compromise leading to web server process compromise.

Mitigating factors:

In order to execute the proof of concept described below malicious users must have 'Administer og menu' permission.

Proof of Concept:

Install Drupal 6.16, Organic Groups module and OG Menu module

Create or view a piece of content in an organic group

Click on the 'Menu' link to view ?q=node/XX/og_menu where XX is the node id

Click the 'Add Menu' link to view ?q=node/XX/og_menu/add

Fill in arbitrary values for the 'Menu name' and 'Title', enter "<script>alert('xss');</script>" in the 'Description' text area